It has a particularly useful application in the context of network security, and notably in protecting against attacks emanating from computers infected by malware and organized in a network. The term “botnet” is usually used to designate such a network of infected computers remotely controlled by attackers without the knowledge of the computers' legitimate users. Botnets are usually used to send unsolicited communications (usually referred to as “spam”), to perpetrate phishing attacks intended to retrieve personal information, or to exploit the computing power offered by the computers of the network for distributed computing operations, e.g. for breaking passwords.
Such a network of infected computers is commanded by a command server managed by an attacker. The role of this command server is to send instructions to the infected computers of the botnet, such as attack orders or update instructions, or to collect information stolen by the malware installed on the computers of the botnet without the knowledge of their legitimate users. In order to communicate with their command server, the infected computers of the botnet, more precisely the malware installed on these computers, need to locate it. Most of the time they use the DNS (Domain Name System) protocol, which returns, for a domain name associated with a machine, here the command server, the IP address of that machine. In a first case, the computers have stored the domain name of the command server. However, a fixed domain name makes it easier to identify the attacker and to set up countermeasures intended to overcome attacks emanating from the network of infected computers. In a second, more widespread case, the infected computers use pseudo-randomly generated domain names. The command server and the infected computers thus share the same domain name generation algorithm. The command server reserves a few of the domain names generated by this algorithm, i.e. it registers with a DNS server on the network an association between the few names that it wishes to reserve and the IP address of the command server. An infected computer then sends successive resolution requests with the pseudo-randomly generated domain names until it receives a response from the DNS server specifying an IP address that corresponds to the IP address of the command server. These few reserved domain names constitute meeting points between the infected computers and the command server. The meeting points enable the attackers to make their botnet more resilient to conventional countermeasures.
Clearly, in order to overcome the attacks emanating from a botnet, it is important to locate and paralyze the communications between the command server of the botnet and the infected computers. Currently, several methods exist.
A first known method is to set up a black list of malicious domain names in the DNS servers of the Internet access providers. The black list is constructed, for example, by disassembling the malware code and obtaining the pseudo-random domain name generation algorithm. Resolution requests relating to domain names that appear in the black list may thus be intercepted by the DNS server and retransmitted to a security server for processing. An invalid IP address or a DNS error may then be provided in response to the resolution request. However, in the event of a connection failure or DNS error, the malware tests other possible meeting points until it ends up at a valid meeting point.
Another known method consists, following a DNS request concerning a domain name appearing in the domain name black list, in responding to the resolution request with the IP address of a security server controlled by a security administration entity. The security server then takes the place of the attacker's command server in its communication with the infected computers. The malware attempts to establish a connection with the security server, believing it is connected to the command server. The security server then makes use of this connection and sends commands to the infected machines in order to disrupt, or even block, the operation of the malware. This solution has the advantage that the malware does not seek to connect to another meeting point. However, a countermeasure adopted by attackers consists in using encrypted connections, with encryption keys shared between the command server and the malware on the infected machines. Thus, a security server which attempts to establish a connection with an infected computer cannot communicate with this computer, since it does not have the keys necessary for encrypting and decrypting communications with the infected computer. The infected computer, detecting that it is not in dialog with the command server, then seeks to connect to another meeting point.
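The following is an added illustration, not part of the original text, of the resolver-side handling the two methods above describe: a block list precomputed from a recovered name generator, a resolver answering listed names with either a DNS error (first method) or the security server's address (second method), and a pass over query logs to find clients whose requests hit the list. The generator, the sinkhole address, the log format and every name and IP value are constructed assumptions, not values from the text or from any real malware.

```python
import hashlib

# Toy, constructed stand-in for the pseudo-random name generator that the text
# says is recovered by disassembling the malware: a daily seed string hashed
# with a counter (assumption; real generators differ). It exists only so the
# resolver can precompute a day's candidate names as a block list.
def generate_candidate_names(seed_day: str, count: int, tld: str = "example") -> list[str]:
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed_day}:{i}".encode()).hexdigest()
        names.append(f"{digest[:12]}.{tld}")
    return names

def build_block_list(seed_day: str, count: int = 1000) -> set[str]:
    return set(generate_candidate_names(seed_day, count))

SINKHOLE_IP = "192.0.2.10"  # constructed address for the security server (RFC 5737 range)

def normalize(qname: str) -> str:
    # DNS names are case-insensitive and may carry a trailing dot
    return qname.lower().rstrip(".")

def handle_resolution(qname: str, block_list: set, upstream: dict, mode: str = "sinkhole"):
    """Resolver-side interception of one resolution request.

    mode "error":    first method, answer a DNS error (NXDOMAIN) for listed names.
    mode "sinkhole": second method, answer with the security server's address.
    Unlisted names are answered from `upstream`, a constructed stand-in for
    normal recursive resolution.
    """
    name = normalize(qname)
    if name in block_list:
        return ("NXDOMAIN", None) if mode == "error" else ("A", SINKHOLE_IP)
    return ("A", upstream[name]) if name in upstream else ("NXDOMAIN", None)

def intercepted_queries(log_lines: list[str], block_list: set) -> list[tuple[str, str]]:
    """Return (client, name) for each query log line whose name is on the block list.
    Expected line format (constructed): '<timestamp> <client_ip> <qname>'."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than fail on them
        _, client, qname = parts
        if normalize(qname) in block_list:
            hits.append((client, normalize(qname)))
    return hits
```

A client appearing repeatedly in the intercepted list is the behaviour the first method cannot stop: the malware keeps trying further candidate names after each error.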
Currently, there is no satisfactory solution for countering attacks originating from computers organized in a “botnet” and commanded by a command server controlled by an attacker.